Background and Relevant Art
Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way we live and work. Computer systems now commonly perform a host of tasks (e.g., word processing, scheduling, accounting, etc.) that prior to the advent of the computer system were performed manually. More recently, computer systems have been coupled to one another and to other electronic devices to form both wired and wireless computer networks over which the computer systems and other electronic devices can transfer electronic data. Accordingly, the performance of many computing tasks is distributed across a number of different computer systems and/or a number of different computing environments.
Before executing a software program to perform computing tasks, it is often advisable to verify that the software program is legitimate. Verifying the legitimacy of a software program can include checking the software program for malicious behaviors. For example, a software program can be checked to determine if it includes a virus, spyware, a Trojan horse, etc.
However, identifying malicious behavior within a software program is a somewhat ambiguous process that requires specialized computer skills beyond that of an average computer user. For example, network traffic to an unknown host may be malicious or may be a legitimate part of a software program. Without more knowledge, such as, the content of data being set to the unknown host, a typical computer user is not qualified to determine the legitimacy of such network traffic.
Accordingly, there are at least two conventional approaches used to identify malicious behavior within a software program. One approach includes a skilled worker manually analyzing software program code line by line to look for malicious behavior. Analyzing software program code manually is often referred to as “static analysis”, since malicious behavior within a software program can be identified without running the software program.
Another approach includes running a software program in a protected environment, such as, for example, a “sandbox”. During execution, the behavior of the software program is observed, recorded, and analyzed. Analyzing software program code during execution is often referred to as “dynamic analysis”. Unfortunately, there is increased risk associated with dynamic analysis approaches, since a software program has to actually be run (as opposed to manual line by line analysis) to perform the analysis. Even within a protected environment, execution of a software program can expose the environment to malicious behavior within the software program.
Further, when a software program is run in a single environment (e.g., within a sandbox), the software program may not exhibit all possible behaviors. For example, a software program can condition certain behaviors based on environmental data, such as, for example, user name, operating system version, data, time, etc. If the environmental data does not satisfy conditions, malicious behavior may not be revealed. For example, a software program can include malicious behavior that is not performed until after a specified date. Thus, dynamic analysis within a sandbox prior to the specified date would not reveal the malicious behavior.
Some products attempt to lessen the burden on computer users with signature based approaches to detecting code (e.g., viruses) that exhibits malicious behavior. A skilled worker (e.g., at a software security corporation) analyzes code (statically and/or dynamically). When malicious behavior is identified, a signature for code that exhibits the malicious behavior is generated and pushed out to users. Users can then run a program (e.g., a virus scanner) to check their computer for code exhibiting the malicious behavior. The program checks the computer determining if any software programs at the computer system include code matching the signature. If a match is found, the matched software program is indicated as including malicious behavior.
However, signature based approaches to detecting malicious behavior suffer from a number of difficulties. When a signature is generated, there is always some chance that the generated signature also matches code within legitimate software (e.g., in operating system routines). When a signature matches code in legitimate software, a program using the generated signature can incorrectly identify the legitimate software as including malicious behavior. Some programs automatically disable software programs that exhibit malicious behavior. Thus, when legitimate software is incorrectly identified as malicious, the legitimate software can be disabled. Disabling legitimate software can annoy a user and prevent normal use of a computer system (e.g., when the disabled legitimate software is part of an operating system).